"I am writing to you to confirm that I have now been notified of this correspondence trail and will offer our full support to you and the (Company 2 Parent) Privacy Office in investigating this."

"I have attached the original email received back on the 10th of April. The email address this was sent to is Company0@redacted.net
Here is a brief history that may help. Feel free to pass this on:"

"Should the marketing agency reach out to you directly in their investigation I have asked that I be copied on the email so I am aware at all times of the process and responses."

"We have a zero tolerance policy for matters of this importance and (Marketer 1) will never again be involved in any project associated with (Company 2).

"The last update was that they would provide me with an update as soon as they have the information back from their “partner”, who they have not named. That was Wednesday last week."

"I have now received two written response for you. One from (Data Broker 1) - a partner of our marketing agency, and one from the database provider, (Marketer 1)."

"The response from (Data Broker 1) seems quite appropriate and reasonable. There are a couple of minor inaccuracies that appear to have been sourced from (Marketer 1)."
"(Marketer 1)'s response, on the other hand, has a number of inaccuracies."
"Feel free to pass any or all of this on to (Data Broker 1)." 

"my expectation is that (Marketer 1) will name an aggregator business that sells personal information to direct marketers and their partners rather than a customer facing company that actually solicits or infers consent from their users directly. If this assumption proves accurate, I will then need to engage in further efforts to solicit the actual source of my personal information from that aggregator. I am happy to leave out any mention of, or make specific references to, (Company 2) in those discussions. While I don’t currently have any plans to make these discussions public, there are a growing number of people cc’d on those other email trails and I can’t guarantee that they won’t end up in a public forum or media."

"In respect of your offer to leave out mention of / specific references to (Company 2) as the matter continues to be investigated I will gratefully accept, but ask that you do what you feel is right and comfortable. I believe the matter at hand warrants thorough investigation and we (individuals and businesses) all have a role to play in ensuring the integrity of what we do."

"It appears that (Government Organisation 1) is sending out unsolicited marketing material via this illegal spammer"

"(Marketer 1) confirmed that a valid opt-in exists for the email address you provided to us, which is why you received an email" 

“I can’t find any evidence of any means to sign-up or log in to that site let alone agree to any terms. The ‘members' their About Us page refers to seem to have no means of becoming members voluntarily."

"For privacy reasons, (Marketer 1) could not (and did not) release your opt-in details to us, or provide us with any other personally identifiable information about you. We understand (Marketer 1) will engage with you directly to manage your subscription and any concerns you may have."

"The representatives of (Marketer 1) have lied in their response to (Government Organisation 1). I hereby grant (Marketer 1 cc'd) and their representatives permission to release my alleged opt-in details to (Government Organisation 1) and by doing so remove any claims to privacy constraints that would otherwise prevent the release of those claimed details."

"Please note (Marketer 1) will now engage with you directly regarding any concerns you have." 

"The suggestion that I should engage with (Government Organisation 1)’s business partners to address legal issues with their actions executing (Government Organisation 1)’s paid engagements is not a sufficient resolution to this complaint, particularly since I had already tried that before raising this complaint directly with (Government Organisation 1) because taking that approach was unsuccessful."

"This unsolicited marketing material has been sent to an email alias that was setup 13 years ago and only ever used for a single specific company. This spammer has illegally obtained this decade old identity profile that has never been used anywhere else and has started sending unsolicited marketing material to this address."

"This information was obtained from the company (Data Broker 3).
(Data Broker 3) contact details can be found below"

"Thanks for the info, however that is not the email address that the unsolicited marketing material was sent to in contravention of the Australian spam act. This actually raises further questions as to why (Data Broker 2) has multiple separate contact details for me since I do not have any relationship with this company and therefore have never given my express or implied permission for my contact details to be used for any form of marketing."

"The email address Company0@redacted.net was also found on our database and this was also sourced via (Data Broker 3).
Both addresses were supplied to (Data Broker 2) by (Data Broker 3) in July 2018."

"Please provide me with the source of my contact details that (Data Broker 3) has been passing on to spammers."

"while I await (Data Broker 3)'s response to my request for the source of my profile data that has presumably been sold on to (Data Broker 2) and others, I am still receiving the same illegally distributed, unsolicited marketing material"
"It seems appropriate to keep everyone responsible for this in the loop each time it re-occurs while I’m awaiting these requested details."

“Your records would have been supressed instantly the moment you emailed us so i can't comment on any further emails you are receiving.
I've also, never dealt with (Company 3) so i can't comment.
Our team is working to find if and where we have collected your data from.
Please bear in mind that COVID lock downs nad peopel working from home are adding time onto requests such as your but i hope to have the information to you by Wednesday.”

"Thanks, Earl. I appreciate the direct response.
I’m genuinely interested in finding out how this honeypot email address found its way into the system."

"If the record can from us i'll come back to you with the source listed on our system by Wednesday."

"Just checking in on the progress. I didn’t see anything on Wednesday or Thursday."

"It is now 1 week past the date that you promised to provide the source of my contact details that appear to have been sold on to other marketing organisations without my permission. I didn’t see a response to my request for a revised ETA last Friday either."

"It has now been 21 days since I requested the source of my personal information from (Data Broker 3)."

"I'll give you a call tomorrow.
Can you send me your number please."

"Given the nature of this issue, I would prefer to keep a digital paper trail of all discussions.
Please send the details requested via email."

"It has now been 34 days since I originally requested the source of my personal information used in these unsolicited marketing campaigns.
Please provide the source of my personal information."

about 7 weeks after initial request

"Apologies for the delay in coming back to you. The current difficulties with lockdown, combined with the fact that it took a while for our team to locate your record mean that i was unable to come back to you until now.

Here is the information that we held on you on our database:
Name - Mr Tristan Austin
Address - <redacted: someone else's current address>
Email - tristan.redacted.net
Collection date : 19/4/2015
Collection Source : Win a Trip to London, Co-reg competition.

I was trying to locate the graphics for the competition but due to the fact that it was over 6 years ago it has to be an unsuccessful search."

There are a few issues here:

1. I never entered any such competition. If I had, it seems odd that I would have entered an old address that I had not lived at for some time at the alleged date of collection. As per the Spam Act 2003, section 16, subsection 5), the evidentiary burden is on (Data Broker 3) to back up this claim. The inaccurate details provided below do not meet this requirement of the act.
2. The information I requested primarily relates to the Company0@redacted.net email address

The false claim regarding issue 1 above aside, it has now been 48 days since I requested the source of my personal information as it pertains the Company0@redacted.net email address.
Please provide the source of my personal information."

see the transcripts and commentary regarding this discussion that went on for a further 3 years (and counting)

"I have decided to not remove this alias or unsubscribe it from this spammer so that I can pass on this information to the people using them for advertising purposes and to make sure they are held accountable for their illegal marketing campaigns and data theft."

“This is a serious allegation, and (Marketer 1) does not hold and would never use or accept any data that was not collected in accordance with the APP guidelines.”

“The other data sits with a partner org. I have submitted a request to their IT team to get the information. Below is what I have as of now”

################
Date of consent: 05/03/2015
Category: F and B
Source Collection Method: Purchase
################

“My request is for the source from which my personal information was acquired. It states below that it was purchased. I need to know from who.”

“Based on advice from the OAIC, I will provide you with the details of the partner organisation (see below). Once I have done this, I have met all my obligations under the ACT, and all records relating to yourself (if any) will be removed from our systems, and I will consider this matter closed.

Company: (Data Broker 3)”

“Thanks. I’ll take this up with Earl.”

“never heard of an organisation named "(Marketer 1)" and definetely never sold them any data. Looks like they are trying to offload the problem.”

“nor have they attempted to contact me or anyone in my organisation ever. There are no missed calls, emails or any attempt at contact.”

“This is an interesting and unexpected development.”

"(Data Broker 3) split into two organisations, a legal and compliant data sharing agreement between (Data Broker 3) and the new entity (Data Broker 4) was created and agreed to by both parties.
(Data Broker 4) (now (Data Broker 5)) was later restructured, and a new entity was formed ((Marketer 1)). (Data Broker 4) (now (Data Broker 5)) also entered into a legal data sharing agreement allowing both parties shared access to the data."

"Earl, are you in agreement with this?"

"    "

“(Data Broker 6)s marketing database contains personal information obtained from publicly available sources, surveys, competitions and other data supply companies. (Data Broker 6) has advised that all individuals in this database have consented to their data being shared with third parties.”

“Unfortunately, (Data Broker 6) has either lied to (Company 4) about the consent status of entries in their database, or they were lied to by whoever illegally sold them my personal information. In either case, their database verifiably does have individuals present that have not consented to receiving commercial messages, and as of this email, (Company 4) is now aware of this."

"I respectfully request that we skip the part where (Company 4) insists that I consented and that I should simply unsubscribe. It should be in (Company 4)’s interests to help track down those responsible for illegally acquiring and selling my personal information to (Company 4) and others.”

"This information is not directly held by (Data Broker 6), however our data source (Data Broker 7) has advised that your details were originally collected on 19/04/2015 as part of a Win a trip to London competition. We understand your information was provided to (Data Broker 7) by (Data Broker 3)"

“Please welcome (Company 4), (Data Broker 6) and (Data Broker 7) to the discussion. The thread copied below shows how yet another unsolicited marketing campaign has led back to (Data Broker 3) as the source of my personal information with no sign of any evidence of consent for my data to be shared with anyone.”

"never dealt with (Data Broker 7) ever and have no idea what they do mate."

"(Data Broker 7 CEO) has since confirmed that (Data Broker 7) received my details via another of his entities called, (Data Broker 8), which obtained it from (Data Broker 3) directly."

"    "

"(Company 5) has potentially suffered a security breach, resulting in the leak of personal information to at least one seemingly unscrupulous business that has been selling my personal information into the direct marketing industry."

"These commercial and government organisations have provided the details of the identity brokers from whom they sourced my personal information, or who used it on their behalf, which include (Data Broker 2), (Data Broker 6), (Data Broker 7), (Data Broker 8) and (Marketer 1). All of whom have ultimately identified (Data Broker 3) as the source of my illegally acquired personal information that only (Company 5) should legally hold."

"I have no idea who (Company 5) are or what they do but if a representative from there is on this call I would welcome them to contact me"
"This is now getting quite ridiculous. Who are (Company 5) mate. Time to get your facts right."

"we require further information"
"Please be assured (Company 5) takes customer privacy seriously and we look forward to hearing from you."

"I have long taken precautions when providing my contact details to businesses. The email address that I provided to (Company 0) uses ‘(Company 0)’ as an alias for the same email account that I am using to send this email. It has never been used to send emails to anyone, not even to (Company 0). It was only ever provided to (Company 0) and only ever used to receive emails during that roughly 9 month period in 2008.
To this day, this email address is not found on any public sites, and does not appear to have been part of any known data breaches."

"At the time I opened my account, the Privacy Policy of (Company 0) was very explicit and clear on my personal information not being used or disclosed for marketing purposes."
"The (Company 0) Privacy Policy remained unchanged 9 months later when I closed my account. "

"(Company 5) has conducted a thorough investigation into your complaint and concluded that we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations. I can assure you that (Company 5) has not and does not sell our customers personal information data to any entity." 

"(Company 5)’s Security Incident and Event Management systems monitors all systems and alerts on any unauthorised activity. We inspected the logs of the alerts issued by that system regarding unauthorised access to the systems that hold your details and verified that no unauthorised access had occurred to your records. We have also performed a review of the access to these systems since being notified and this review has also found no breach of the systems, or customer data."

"Your personal information, including your account details and email address, was stored on a multi-layered system which is designed to protect the sensitive customer data (Company 5) holds from unauthorised access. These systems include Intrusion Prevention, Network and Host firewalls, network segmentation and strong authentication monitored constantly by a dedicated team in a Security Operations Centre and a Security Incident and Event Management system.

"(Company 5) also provides training to its staff with respect to protection of personal information and that training includes the requirement that information that it holds not be used for any improper purpose."

"The fact that there is even speculation that we somehow gathered this information illegally is not only unfounded but blatantly false.
Tristan, as you can see there was no data breach."

"Regarding these two statements:
- 'we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations'
- '(Company 5) has not and does not sell our customers personal information data to any entity'

Can you please confirm that (Company 5) 'has not and does not' disclose 'customer's personal information data to any entity'?"

"the terminology used in the current (Company 5) Privacy Policy specifically refers to disclosing (not selling) customer personal information for marketing purposes, including 'the products and services of other people, or related special offers from our business partners.' It is worth noting that the initial batch of unsolicited commercial mail that I received was car or travel related."

"Secondly; it is great to hear that my personal information is now stored securely and that staff are now trained appropriately. I know that neither of these were the case when I was a customer of (Company 0). I have attached an extract of my account closure letter, dated 08/12/2008, which discussed the poor security practices of (Company 0) at the time.

Please confirm the point in time that (Company 5) introduced the security controls capable of preventing or detecting a security breach that could have led to the exfiltration of my customer data. This point in time will be after the period during which (Company 0) call centre staff were required to request each customer’s login name and password over the phone on every interaction and log into their accounts directly."

"we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations"
"we could only share your personal information for marketing purposes if you had opted into receiving marketing communications"
"We can confirm that we took over full ownership of (Company 0) in February 2019 and were responsible for the security of (Company 0) customer data at this point."

"It is starting to feel like there is a reluctance to categorically state that (Company 5) explicitly did not directly disclose my personal information to any organisations for marketing purposes. Every statement provided so far on this matter has included qualifiers, constraints or methods that limit the scope of the response.

(Company 5) has so far stated:
- 'we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations'
- '(Company 5) has not and does not sell our customers personal information data to any entity'
- 'we could only share your personal information for marketing purposes if you had opted into receiving marketing communications'

It should not be difficult to make an absolutely explicit statement one way or the other. I would really appreciate it if we could put this question to be bed.

Did (Company 5) (or (Company 0), any other subsidiaries or partners) disclose my personal information for marketing purposes to any organisations?

This should prompt a simple “Yes" or “No” answer, followed by an elaboration on who received my data, what data was disclosed and when, if the answer is “Yes.”"

"Even in this worst case scenario, the point in time that my personal information entered the direct marketing industry was well within the period of unsecured customer data at (Company 0)."

"I would just like to reiterate that (Company 5) did not have management control over (Company 0) in 2008, so we are unable to provide you a simple yes or no answer. As (Customer Resolution Lead) previously mentioned ‘we took over full ownership of (Company 0) in February 2019 and were responsible for the security of (Company 0) customer data at this point’."

"We suggest that any further correspondence regarding this matter should be directed to the Tolling Customer Ombudsman and/or OAIC."

"Please clarify any of these points if they do not accurately represent (Company 5)’s findings provided so far.

• (Company 5) has confirmed that security controls protecting (Company 0) customer data were only introduced in February 2019, after my personal information was exposed, prior to which there were no security controls capable of preventing or detecting a security breach related to (Company 0) customer data
• (Company 5) has confirmed that it, or one of its subsidiaries or partners, may have deliberately disclosed my personal information to the direct marketing industry without my consent, however there is no audit trail that could confirm or rule out such a disclosure

In short; none of the three possibilities presented in my original email on August 29 have been ruled out. They actually all seem more likely now than when I first tabled them."